[nycphp-talk] Relax your password rules
Gary Mort
garyamort at gmail.com
Sat Jun 7 10:38:02 EDT 2014
A plea to anyone setting up a website where you will have users log on.
Make your default password rule something simple, like any 4
characters. A password complexity system should allow for multiple
tiers of rules with configurable default rule that is set, by default
:-), to something simple. Tune those tiers and defaults based on your
website need, not by blindly implementing the preachings of the high
priests of security.
This is not the security nightmare many so-called "experts" try to lead
you to believe. In fact, it is just the opposite. If you require
users to use long passwords with 'complexity' then it doesn't really
matter how you choose to encode and store those passwords, you might as
well be using cleartext storage. Most people will use the same password
on every website they sign up for when forced to make them complex - so
no matter how securely you hash that password, it's stored on dozens of
other websites as well - so the account on your website is only as
secure as the weakest security all those websites they have used it on
is using.
The problem is that since open source software tends to blindly follow
the "experts", they all default to either 'mixed case with numbers' or
'mixed case with numbers and symbols'.
A Google account which is often used as a hub for other logons, access
to e-mail for password resets, etc should use a long, difficult to
remember, complex password.
But your NYPHP e-mail list password - which can only be used to change
your e-mail subscription options? You can't even post to the list with
it. No reason to insist on 'complex' passwords.
If you use password authentication for user accounts, then base your
rules on your needs. Site owner/Super Admin/Developer accounts should
require complex passwords and two factor authentication. Day to day
site manager accounts most likely only need complex passwords [based on
potential damage of a compromised account...if a site manager can give
out refunds and credits for an e-commerce site, obviously you want to
add extra security!]
User accounts which can access sensitive user data [credit cards, payment
methods, etc... though really you shouldn't allow read access to that
data!] need complexity. User accounts which can do things like make
payments using saved payment methods need complexity.
User accounts which can only add items to a wishlist or cart, post forum
messages, etc don't need complexity. YOU may not want someone to be
able to post to a forum with your account - but that doesn't mean you
have to force complexity on others - you can choose complexity
voluntarily and let the users decide how complex/safe they wish their
passwords to be.
Every time I browse around to some interesting looking website where I
have to "create an account" to access something I get increasingly upset
at those sites trying to force their idea of security on an account that
I don't care about. If I decide I want to actively use the site and am
giving it sensitive information, I will change that password to
something complex. If I never return to that site, then I don't care
about the account.
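The tiered, configurable rule set the post argues for, written out as an added example (not code from the original post or the list): a simple default tier, stricter tiers mapped to the roles the post names, and the option for a user to opt into a stricter tier voluntarily. The tier names, thresholds and role mapping are assumptions chosen for illustration.

```python
"""Tiered password rules keyed by account role.

Added example, not code from the original post. Tier names, thresholds and
the role-to-tier mapping below are assumptions chosen for illustration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Tier:
    name: str
    min_length: int
    mixed_case: bool = False
    digits: bool = False
    symbols: bool = False
    two_factor: bool = False  # account must also have a second factor enrolled


# Ordered weakest to strongest; a user may opt into a stricter tier voluntarily.
TIERS = {
    "basic": Tier("basic", 4),
    "elevated": Tier("elevated", 12, mixed_case=True, digits=True),
    "admin": Tier("admin", 16, mixed_case=True, digits=True, symbols=True, two_factor=True),
}
RANK = {name: i for i, name in enumerate(TIERS)}

# Configurable default per role; any role not listed falls back to DEFAULT_TIER.
DEFAULT_TIER = "basic"
ROLE_TIERS = {"super_admin": "admin", "developer": "admin", "site_manager": "elevated"}


def tier_for(role: str, requested: str = "") -> Tier:
    """Pick the role's default tier, or a stricter one if the user asked for it."""
    base = ROLE_TIERS.get(role, DEFAULT_TIER)
    if requested and RANK[requested] > RANK[base]:
        base = requested
    return TIERS[base]


def violations(password: str, tier: Tier, has_two_factor: bool = False) -> list:
    """Return every rule of `tier` the credential fails; an empty list means accepted."""
    problems = []
    if len(password) < tier.min_length:
        problems.append(f"shorter than {tier.min_length} characters")
    if tier.mixed_case and not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("needs upper and lower case")
    if tier.digits and not re.search(r"\d", password):
        problems.append("needs a digit")
    if tier.symbols and not re.search(r"[^A-Za-z0-9]", password):
        problems.append("needs a symbol")
    if tier.two_factor and not has_two_factor:
        problems.append("second factor not enrolled")
    return problems
```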